I just started a migration for a customer who is still on OpenAM 10.2. Yes, my old-time customer who is still using the old JATO UI. :)
So, the deployment architecture is simply straight-forward. We have OpenAM 13.5 deployed on a Tomcat server and we have Apache HTTPd server acting as a reverse proxy. This is where we will tighten the rules for allowing/disallowing OpenAM endpoints from being exposed to the Internet.
Maybe I'm rusty, as I have been busy with other projects using other products. During setup, I kept hitting into issues - Bad request error and No values provided for the request parameter '_action'.
Anyway, after a long while investigation, then did I realized my reverse proxy setting on my Apache HTTPd server was configured wrongly! :)
So I forgot to add a slash to the URI.
ProxyPass /sso/ http://localhost:8080/sso/
ProxyPassReverse /sso/ http://localhost:8080/sso/
Silly me! :)